creation date | tags
---|---
2022-01-08 |
OS - Arch
See https://wiki.archlinux.org/title/Security
- Use `sudo` for everything and disable root with `passwd --lock root`
- Install `linux-hardened` and set it as default. If using rootless #docker, enable `CONFIG_USER_NS_UNPRIVILEGED`.
ssh
ssh-guard
allowed.
nginx
Execute the following:
```sh
mkdir -p /etc/nginx/ssl
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
```
In `nginx.conf`, set the following inside the `http` block:
```nginx
# security hardened
server_tokens off;
```
For each `server` block, set the following:
```nginx
listen 443 ssl http2;
# enable session resumption to improve https performance
ssl_session_timeout 5m;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
# enables server-side protection from BEAST attacks
ssl_prefer_server_ciphers on;
# disable SSLv3 (enabled by default since nginx 0.8.19) since it's less secure than TLS http://en.wikipedia.org/wiki/Secure_Sockets_Layer#SSL_3.0
ssl_protocols TLSv1.2;
# ciphers chosen for forward secrecy and compatibility
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
# security hardened
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
# 'always' makes nginx send the header on error responses too, not only on 2xx/3xx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
# note: "https" is not a CSP directive name; browsers ignore unknown directives, so only the source lists after it take effect
add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'; img-src 'self' data:;";
# OR: add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'";
# no access logs
access_log off;
```
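As an added check that is not part of the original notes, a small Python audit that parses a config fragment like the blocks above and reports which of the hardening settings are missing or weakened; it assumes one directive per line (values must not contain `#`) and also flags CSP directive names that browsers do not recognise, which catches the `https;` token in the policy above.

```python
import re
KNOWN_CSP = {"default-src", "script-src", "style-src", "img-src", "connect-src",
             "font-src", "object-src", "media-src", "frame-src", "frame-ancestors",
             "child-src", "worker-src", "manifest-src", "base-uri", "form-action",
             "upgrade-insecure-requests", "report-uri", "report-to", "sandbox"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# one directive per line, '#' starts a comment; quoted values may contain ';'
DIRECTIVE = re.compile(r'^\s*(\w+)\s*((?:"[^"]*"|[^;"\n])*);', re.M)
HEADER = re.compile(r'(\S+)\s+(?:"([^"]*)"|(\S+))\s*(always)?')

def audit_nginx_conf(conf):
    """Return findings for a config text; an empty list means all checks passed."""
    body = "\n".join(line.split("#", 1)[0] for line in conf.splitlines())
    directives, headers = {}, {}
    for name, args in DIRECTIVE.findall(body):
        m = HEADER.match(args.strip()) if name == "add_header" else None
        if m:  # header name -> (value, sent-on-all-status-codes flag)
            headers[m.group(1).lower()] = (m.group(2) if m.group(2) is not None else m.group(3), bool(m.group(4)))
        else:
            directives.setdefault(name, []).append(args.strip())
    findings = []
    if "off" not in directives.get("server_tokens", []):
        findings.append("server_tokens not off: nginx version is disclosed")
    protos = set(" ".join(directives.get("ssl_protocols", [])).split())
    if not protos or protos & LEGACY_PROTOCOLS:
        findings.append("ssl_protocols missing or legacy: %s" % sorted(protos & LEGACY_PROTOCOLS))
    hsts, always = headers.get("strict-transport-security", ("", False))
    if "max-age=" not in hsts:
        findings.append("Strict-Transport-Security header missing")
    elif not always:  # without 'always', add_header skips error responses
        findings.append("HSTS header lacks 'always'")
    if headers.get("x-content-type-options", ("",))[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    csp = headers.get("content-security-policy", ("",))[0]
    for part in csp.split(";"):  # unknown directive names are silently ignored by browsers
        name = part.strip().split(" ")[0]
        if name and name not in KNOWN_CSP:
            findings.append("CSP has unknown directive %r" % name)
    return findings

# Constructed sample: the header and TLS directives from the notes above.
SAMPLE = """server_tokens off;
ssl_protocols TLSv1.2;
add_header X-Content-Type-Options nosniff;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header Content-Security-Policy "https; default-src 'self'; script-src 'self'; img-src 'self' data:;";
"""

if __name__ == "__main__":
    print("\n".join(audit_nginx_conf(SAMPLE)) or "no findings")
```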
PHP
```ini
; session cookie only sent over HTTPS
session.cookie_secure = true
; never accept session ids from URL parameters
session.use_only_cookies = 1
; session cookie not readable from JavaScript
session.cookie_httponly = true
```
journald
Set maximum journal retention in `/etc/systemd/journald.conf`:
```ini
[Journal]
MaxRetentionSec=604800
MaxFileSec=86400
```
This keeps logs for seven days (604800 s) and rotates the journal file daily (86400 s).
Apply the changes directly with `journalctl --vacuum-time=7d`.
Other services
Set the log level to warn or error.